How Not to Become the Next Big Phishing Headline

Editor's note: This is a guest post by Dane Boyd, Lead Solution Manager at PhishLabs

If you’ve been in business for a while, you’re already acutely aware of the dangers of phishing. In fact, if your organization has been the victim of a data breach, there’s a more than 90% chance that your attackers used phishing or some other type of social engineering to gain an initial foothold inside your network. Even when huge multinational corporations are breached, phishing has nearly always been used at some point in the attack.

So, if you want to ensure that your company’s name doesn’t get added to the list of phishing headlines, you’re going to need to start taking phishing very seriously.

Technology isn’t enough

It’s true that organizations all over the world are starting to take cyber security seriously. Attend just one cyber security conference, and you’ll see first-hand just how much organizations are willing to invest in defending against the latest threats.

But here’s the thing. While it would be nice if defending against cyber threats was simply a case of purchasing the latest security product, that just isn’t the case.

Security technologies are important, certainly, but they’re far from enough to ensure the ongoing safety of your organization’s network.

But you already knew that, didn’t you? You’ve seen it first-hand.

No matter how many advanced spam filters, content scanners, and email authentication protocols you employ, a substantial proportion of malicious emails still make it into your users’ inboxes.

Let me tell you now, you are not alone.

The average business email account receives just over 100 emails per day. Of those, more than half are spam, and a little under one percent are malicious.

So what does this mean for an average organization? Well, let’s assume that organization has around 5,000 employees, and as a result receives approximately 276,500 spam emails per day. Let’s also assume that our fictitious organization employs an advanced spam filter, which performs as advertised and blocks 99% of all spam email.

Our fictitious organization can expect 2,765 spam emails to find their way into users’ inboxes on a daily basis. Of those, around 41 are likely to contain malicious attachments.

I’d like to point out that the assumptions we’ve used are extremely generous. The vast majority of spam filters dramatically underperform when placed under real-world strain, so blocking 99% of incoming spam email is highly unlikely in practice.

Not only that, we’ve only considered phishing emails that contain a malicious attachment. In reality, a huge number of phishing emails use altogether different tactics to achieve their goals. Credential theft, CEO scams, spear phishing, and drive-by downloads are all commonly used phishing tactics that don’t rely on malicious attachments.

So What Now?

If technology isn’t enough to secure your organization against phishing scams, what can you do instead? After all, everybody knows that users cannot be relied upon in a security context.

Well, the first thing you’ll need to do is drop your mindset that people are purely a security liability. In fact, with the right training and preparation, people can become a huge security asset.

So, security awareness training? Well, yes and no. Yes, I’m talking about training your users to behave in a security-conscious manner, but no, what I’m about to suggest bears no resemblance to the average security awareness training program.

You know the one. You’ve experienced the boredom and frustration of sitting in a hot, stuffy basement room, listening to a 17-year-old IT intern talk about the importance of not writing down your password on a sticky note and sticking it to your monitor.

Quite honestly, the average quality of security awareness training, even within huge multinational corporations who should know better, is absolutely abysmal. There is no amount of incremental improvement that could turn one of these programs into a genuinely valuable security resource.

You Want Us to Do What?!

Bear with me. If you wanted to learn the guitar, what would you do? You’d go out and buy a guitar, and then you’d play it every day, right?

Well, learning to spot and report phishing emails is no different from any other skill. You have to practice it regularly.

No amount of classroom learning in isolation will prepare your users for the phishing emails they’re guaranteed to receive. Equally, without the opportunity to consistently practice the skill of spotting phishing emails, your users will quickly fall out of practice, and back into old habits.

No. If you’re serious about combating phishing, you’re going to need to implement a program that consistently produces phishing simulations resembling the latest real-world samples, sends them to all of your users, and tracks each user’s progress over time.

Not only that, you’ll also need to make use of the advanced tactics routinely used by phishing threat actors, such as email spoofing, which enables malicious email to appear as though it has been sent by a trusted source within your organization.

Now of course, you’ll need to provide your users with some training before the program starts. They’ll need to understand why the program is being implemented, what it’s intended to achieve, and how they are expected to respond to malicious emails in the future.

You’ll also want to prepare your users with a basic understanding of phishing tactics, and show them examples of the types of emails they might receive.

Be careful, though, not to “over prepare” your users. Providing too much information upfront can easily overwhelm people, and actually reduce the impact of your program. Instead, it’s best to provide a minimum of information upfront, and allow your users to learn as they go.

As a rule, it’s best to provide additional training only to those users who “fail” a given simulation. After all, if they successfully identified one of your simulations, there’s really no need to bore them with knowledge they already possess.

It’s all about consistency

The thing about this style of training, which I like to call phishing defense training, is that it’s always a marathon, and never a sprint.

In my experience, most organizations start with a phishing susceptibility rate of around 30%, meaning that only three out of every ten simulations (or real phishing emails) will be successfully identified and reported.

Over time, as your users are exposed to increasingly complex phishing simulations, and receive additional training any time they “fail” a simulation, the susceptibility rate can be dramatically reduced. In my experience, any organization can bring its susceptibility rate below 5% in time if it is consistent in its efforts.

Be careful, though: it may be tempting to game the system by sending easier phish to show improvement. You must base simulations on real-life examples of phish, because the sophistication level of your simulations can easily skew your metrics. At the end of the day, what you want is for your users to be the last layer of defense. If you lose sight of that and only focus on driving the click rate down by sending out easy-to-spot phish, you risk missing the point entirely. You want them to be educated on what to look for and diligent in reporting suspicious emails.
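As an added example (not code from the original post or from PhishLabs), here is a small Python model of the tracking this section describes: per-campaign susceptibility and report rates, the users who failed and get follow-up training, each user’s history across campaigns, and a check for the “easier phish” trap, where a falling click rate coincides with a less realistic lure. The result records, the 1–5 difficulty scale and the campaign ordering are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SimResult:
    user: str
    campaign: str    # simulation campaign; assumed to be sent in order c1, c2, c3
    difficulty: int  # assumed scale: 1 = easy lure .. 5 = mirrors latest real-world phish
    clicked: bool    # took the bait, i.e. "failed" the simulation
    reported: bool   # reported the email to the security team

# Constructed sample results for four users across three campaigns (not real data).
RESULTS = [
    SimResult("alice", "c1", 2, True, False),  SimResult("bob", "c1", 2, False, True),
    SimResult("carol", "c1", 2, True, False),  SimResult("dave", "c1", 2, False, False),
    SimResult("alice", "c2", 3, False, True),  SimResult("bob", "c2", 3, False, True),
    SimResult("carol", "c2", 3, True, False),  SimResult("dave", "c2", 3, False, True),
    SimResult("alice", "c3", 1, False, True),  SimResult("bob", "c3", 1, False, True),
    SimResult("carol", "c3", 1, False, False), SimResult("dave", "c3", 1, False, True),
]

def campaign_metrics(results, campaign):
    """(susceptibility, report rate): share who clicked, share who reported."""
    rows = [r for r in results if r.campaign == campaign]
    return (sum(r.clicked for r in rows) / len(rows),
            sum(r.reported for r in rows) / len(rows))

def needs_training(results, campaign):
    """Only users who failed the simulation receive follow-up training."""
    return sorted(r.user for r in results if r.campaign == campaign and r.clicked)

def user_history(results, user):
    """Per-user progress over time as (campaign, clicked, reported) tuples."""
    return [(r.campaign, r.clicked, r.reported)
            for r in sorted(results, key=lambda r: r.campaign) if r.user == user]

def trend(results):
    """Per-campaign (campaign, difficulty, susceptibility, report rate), in order."""
    out = []
    for c in sorted({r.campaign for r in results}):
        difficulty = max(r.difficulty for r in results if r.campaign == c)
        sus, rep = campaign_metrics(results, c)
        out.append((c, difficulty, sus, rep))
    return out

def suspicious_improvements(trend_rows):
    """Campaigns whose drop in susceptibility coincides with an easier lure:
    an 'improvement' that may only reflect a less realistic simulation."""
    return [cur[0] for prev, cur in zip(trend_rows, trend_rows[1:])
            if cur[2] < prev[2] and cur[1] < prev[1]]
```

In the constructed data, campaign c3 shows the lowest click rate but was also the easiest lure, so `suspicious_improvements` flags it rather than letting it count as progress.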

Of course, it’s not reasonable to expect that any program can completely defend your organization against any phishing attack. If your susceptibility rate is reduced substantially, however, the few phishing attacks that do successfully fool your users can typically be nullified by technical controls (e.g., sensible user access management and network segmentation) or triaged by your incident response team.

Author's bio: Dane Boyd is the Lead Solution Manager for PhishLabs’ Managed Phishing Awareness Training. He has helped dozens of enterprises transform their employees into a powerful layer of threat prevention and detection. For more information, visit https://www.phishlabs.com and follow @phishlabs on Twitter.